Identity and Access Management and electronic Identities _ Belgian Federal Government

Identity and Access Mgmt and electronic Identities Belgian Federal Government Walter Van Assche January 16 th , 2012 Chisinau

Description

IAM within the eGovernment context in Belgium; the eID project. Presentation held by Mr. Walter Van Assche in the first session of the forum "INFORMATION TECHNOLOGY IN GOVERNMENT", dedicated to interoperability, held at Chisinau on January 16th, 2012.

Transcript of Identity and Access Management and electronic Identities _ Belgian Federal Government

Page 1: Identity and Access Management and electronic Identities _ Belgian Federal Government

Identity and Access Mgmt and

electronic Identities

Belgian Federal Government

Walter Van Assche

January 16th, 2012

Chisinau

Page 2: ELECTRONIC IDENTITY (CARD)

Page 3: Goal of the eID project

• To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
– Proof of identity
– Signature tool

Page 4: eID partners

Page 5: The eID as an e-gov. building block

Page 6: Belgian eID Project Time line

• 13 Dec 1999: European Directive 1999/93/EC on Electronic Signatures
• 22 Sept 2000: Council of Ministers approves eID card concept study
• 19 July 2001: Council of Ministers approves basic concepts (smart card, citizen certificates, no integration with SIS card, Ministry of Internal Affairs is responsible for RRN's infrastructure, pilot municipalities, helpdesk, card production, legal framework, …; Fedict for certification services)
• 3 Jan 2002: Council of Ministers assigns RRN's infrastructure to NV Steria
• 27 Sept 2002: Council of Ministers assigns card production to NV Zetes, certificate services to NV Belgacom
• 31 March 2003: first 4 eID cards issued to civil servants
• 9 May 2003: first pilot municipality starts issuing eID cards
• 25 July 2003: eleventh pilot municipality started
• 25 January 2004: start of pilot phase evaluation
• 27 September 2004: start of nation-wide roll-out
• September 2005: all newly issued ID cards are eID cards
• Start of 2009: all citizens have an eID card

Page 7: The eID "product family"

• eID
• Kids-ID
• Foreigner-ID

Page 8: The eID: results

• eID:
– More than 8.6 Million cards issued (2nd wave)
• Kids-ID:
– Potential: 1,3 Million cards
– More than 100.000 cards issued since March 2009
• Foreigner-ID:
– Potential: 1,5 Million cards
– More than 150.000 cards issued since 2008

Page 9: How does it work?

Figure: the User on the Internet reaches an External Portal (Web Server and Application Server) and the Federal ePortal (Web Server, Application Server and LDAP); each sits behind an External Firewall.

1) Request: the user calls the External Portal
2) Redirect to the ePortal login page
3) Login in the ePortal authentication page
4.1) Checking credentials (ePortal application server)
4.2) Checking credentials (LDAP)
5.1) Redirect with SAML Response (posting with JavaScript)
5.2) Redirect with SAML Response (to the External Portal)
6) Session creation

Page 10: Alternatives with different security levels

• Different security levels:
– level 0: Public access
– level 1: User name + Password
– level 2: User name + Password + Token
– level 3: Electronic identity card
• Future evolutions (based on eID):
– Mobile Identity
– One Time Password Generators?
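The flow on page 9 and the levels on page 10 together define what the External Portal (the relying party) has to do when the SAML Response comes back through the browser: tie it to the login it started, check the ePortal's signature and the assertion's conditions, and only then create a session whose authentication level the applications enforce. The Python below is an added example written for this transcript; it is not Fedict's code and not the ePortal's actual implementation. The endpoint names, the shared-key HMAC signature (a stand-in for the XML-DSig signature a real ePortal produces), the mapping from AuthnContextClassRef to the four levels, and the sample national number are all assumptions.

```python
import base64, hashlib, hmac, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
SIG = "urn:example:hmac-signature"      # assumed: toy stand-in for XML-DSig's ds:Signature
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("sig", SIG)):
    ET.register_namespace(prefix, uri)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
LEVELS = {AC + "Password": 1, AC + "TimeSyncToken": 2, AC + "SmartcardPKI": 3}  # slide 10, levels 1-3
# Assumed names: none of these endpoints, keys or numbers appear in the presentation.
EPORTAL_ISSUER, SP_ENTITY_ID = "https://eportal.example.be/idp", "https://portal.example.be/sp"
ACS_URL, SHARED_KEY = "https://portal.example.be/saml/acs", b"demo-shared-key"
SAMPLE_NRN = "01.01.01-001.01"          # constructed sample, not a real national register number
T0 = datetime(2012, 1, 16, 9, 0, tzinfo=timezone.utc)

def iso(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_iso(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def req(ok, msg):
    if not ok: raise ValueError(msg)

def canon(el):
    """Toy canonical form standing in for C14N: tag, sorted attributes, stripped text, children."""
    if el.tag == f"{{{SIG}}}Signature":
        return ""
    attrs = "".join(f" {k}={v!r}" for k, v in sorted(el.attrib.items()))
    return f"<{el.tag}{attrs}>{(el.text or '').strip()}{''.join(map(canon, el))}</{el.tag}>"

def mac(el, key):
    return hmac.new(key, canon(el).encode(), hashlib.sha256).hexdigest()

def build_response(in_response_to, nrn, authn_class, now, key=SHARED_KEY):
    # ePortal side (step 5.1): a signed bearer Assertion inside a Response, base64 as the browser posts it
    S = ET.SubElement
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(8), Version="2.0",
                      IssueInstant=iso(now), Destination=ACS_URL, InResponseTo=in_response_to)
    S(resp, f"{{{SAML}}}Issuer").text = EPORTAL_ISSUER
    S(S(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    a = S(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(8), Version="2.0", IssueInstant=iso(now))
    S(a, f"{{{SAML}}}Issuer").text = EPORTAL_ISSUER
    subj = S(a, f"{{{SAML}}}Subject")
    S(subj, f"{{{SAML}}}NameID").text = nrn
    sc = S(subj, f"{{{SAML}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    S(sc, f"{{{SAML}}}SubjectConfirmationData", Recipient=ACS_URL, InResponseTo=in_response_to,
      NotOnOrAfter=iso(now + timedelta(minutes=5)))
    cond = S(a, f"{{{SAML}}}Conditions", NotBefore=iso(now - timedelta(minutes=1)), NotOnOrAfter=iso(now + timedelta(minutes=5)))
    S(S(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = SP_ENTITY_ID
    ctx = S(S(a, f"{{{SAML}}}AuthnStatement", AuthnInstant=iso(now)), f"{{{SAML}}}AuthnContext")
    S(ctx, f"{{{SAML}}}AuthnContextClassRef").text = authn_class
    S(a, f"{{{SIG}}}Signature").text = mac(a, key)   # covers everything above; the Signature itself is excluded
    return base64.b64encode(ET.tostring(resp)).decode()

class Portal:   # the External Portal as relying party: step 2 mints the request, steps 5.2 and 6 validate and log in
    def __init__(self, key=SHARED_KEY):
        self.key, self.pending = key, {}

    def start_login(self, now):
        rid = "_" + secrets.token_hex(16)        # travels to the ePortal with the redirect (step 2)
        self.pending[rid] = now + timedelta(minutes=10)
        return rid

    def consume_response(self, posted_b64, now):
        r = ET.fromstring(base64.b64decode(posted_b64))
        st = r.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
        req(r.tag == f"{{{SAMLP}}}Response" and st is not None and st.get("Value") == SUCCESS, "not a successful Response")
        req(r.get("Destination") == ACS_URL, "Response addressed to another endpoint")
        rid = r.get("InResponseTo")
        expiry = self.pending.pop(rid, None)     # single use: a replayed Response finds nothing to match
        req(expiry is not None and now <= expiry, "unsolicited, replayed or stale Response")
        a, = r.findall(f"{{{SAML}}}Assertion")   # ValueError unless there is exactly one Assertion
        sig = a.find(f"{{{SIG}}}Signature")
        req(sig is not None and hmac.compare_digest((sig.text or "").encode(), mac(a, self.key).encode()), "bad assertion signature")
        req(a.findtext(f"{{{SAML}}}Issuer") == EPORTAL_ISSUER, "Assertion not issued by the ePortal")
        c = a.find(f"{{{SAML}}}Conditions")
        req(c is not None and parse_iso(c.get("NotBefore")) <= now < parse_iso(c.get("NotOnOrAfter")), "Assertion outside its validity window")
        req(c.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") == SP_ENTITY_ID, "Assertion meant for another audience")
        d = a.find(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
        req(d is not None and d.get("Recipient") == ACS_URL and d.get("InResponseTo") == rid and now < parse_iso(d.get("NotOnOrAfter")), "bearer confirmation does not match this login")
        cls = a.findtext(f"{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef")
        return {"nrn": a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID"), "level": LEVELS.get(cls, 0)}  # step 6

def authorize(session, required_level):
    # slide 10: each application declares level 0-3; the session (none = public access) must reach it
    return (session["level"] if session else 0) >= required_level

def demo(now=T0):
    """Constructed walk-through: honest eID login, replay of the same Response, tampered NameID."""
    portal, out = Portal(), {}
    posted = build_response(portal.start_login(now), SAMPLE_NRN, AC + "SmartcardPKI", now)
    session = portal.consume_response(posted, now)
    out["level"], out["level3_app"] = session["level"], authorize(session, 3)
    tampered = base64.b64decode(build_response(portal.start_login(now), SAMPLE_NRN, AC + "SmartcardPKI", now))
    tampered = base64.b64encode(tampered.replace(SAMPLE_NRN.encode(), b"99.12.31-999.99")).decode()
    for name, blob in (("replay", posted), ("forged", tampered)):
        try:
            portal.consume_response(blob, now); out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    return out
```

The order of the checks is the point: nothing derived from the assertion reaches the session before the signature, issuer, audience, validity window and bearer confirmation have all passed, and the InResponseTo lookup is consumed on first use, which is what stops a captured Response from being re-posted through the JavaScript form in step 5.1. In a real deployment the HMAC stand-in is replaced by XML-DSig verification against the ePortal's certificate, done by a hardened SAML library rather than hand-rolled XML handling.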

Page 11: IDENTITY AND ACCESS MANAGEMENT IN EGOV

Page 12: What is IAM? A simple story…

Figure: Getting access: User → Application.

© Fedict 2009. All rights reserved | p. 12

Page 13: What is IAM? A simple story…

Figure: Getting access: User → Application, via Identification & authentication.

Page 14: What is IAM? A simple story…

Figure: Getting access: User → Application, via Identification & authentication; Attributes (Name, Company, …) taken from NRN, KBO, Notarissen, …

Page 15: What is IAM? A simple story…

Figure: Getting access: User → Applications, via Identification & authentication; Attributes (Name, Company, …) taken from NRN, KBO, Notarissen, …; Roles; Permissions.

Page 16: What is IAM? A simple story…

Figure: Getting access: User → Application, via Identification & authentication; Attributes (Name, Company, …) taken from NRN, KBO, Notarissen, …; Roles; Permissions. Granting access: Legal Representative (KBO), Chief Security Mgr, Security Manager; roles and permissions are granted through a work flow.

Page 17: IAM… in a complex reality: process overview

• Manage Identity
• Manage Virtual Identity
• Attestation
• Reporting
• Risk Definition
• Relying Party Management
• Auditing
• Manage Organizational Membership
• Manage Role Definition
• Manage Permission
• Mandate Management
• Manage Domains
• Manage Contexts
• Request Permission
• Authenticate

Page 18: Relevance of IAM within the eGovernment context

Transparency:
• Granting transparent access to the different applications and information sources of the Belgian government

Security:
• Avoid unauthorized access to information sources and applications of the federal government

Trust and trustworthiness:
• A trustworthy service provider

Autonomy:
• Ensure the "uniqueness" of each of the partners

Governance structure:
• The rules and agreements within an IAM context

Page 19: Security management >> A historic agreement

An agreement is being defined between Belgian government partners, providing a basis for integrated security management.

A joint security management platform will be offered as a managed service.

All partners can participate in the steering group of the joint platform.

…

Page 20: Federated context >> co-existence

Page 21: Federated context: Example >> Digiflow

Figure: three contexts side by side: the context of the OCMW, the context of the Federal government and the context of the local governments. Getting access: User → Digiflow, via Identification & authentication; Attributes (Name, Company, …) taken from NRN, KBO, Notarissen, …; Permissions.

Page 22: Federated context: Example >> Tax on Web for accountants: Mandate Mgt

Figure: Getting access: User → Tax on Web, via Identification & authentication; Attributes (Name, Company, …) taken from NRN, KBO; Roles; Permissions. Granting access: Legal representative (KBO), Head Security Mgr, Security Mgr; roles are granted through a work flow.

Page 23: Fedict IAM offering

Figure elements: Trusted Third Party; Authentic sources (RR, BIS, KBO); Circle of Trust; FAS; Role Admin; User; Relying Party; Admin; Application A … Application X.

Page 24: Fedict IAM evolution

Current building blocks: RoleMgt, Authentication, UserMgt, Reporting
– Role Admin, Citizen Admin, TUM Self Service, Magma, MagmaWS, FAS1, FAS+, Attribute Service, CSAdmin, VOSync

Optimized building blocks: RoleMgt, Authentication, UserMgt, Reporting
– Self Registration, Self Management, User Lifecycle Management, Risk Management, Role Definition Management, Role Assignment, Organization Assignment, Identification & Authentication, Attribute Publication, Relying Party Management, Reporting Management

Page 25: EU pilots that work on cross-border interoperability

© fedict 2011. All rights reserved

Page 26: Overview of the LSPs' collaborations

Figure elements (repeated for each collaboration): Company Dossier, Citizen ID, Company ID, Privacy, Transport Infrastructure.

Page 27:

Thank you

Fedict

Maria-Theresiastraat 1/3 Rue Marie-Thérèse

Brussel 1000 Bruxelles

TEL. +32 2 212 96 00 | FAX +32 2 212 96 99

[email protected] | www.fedict.belgium.be